Quick Take

France Connect is the master key to 1,400+ French public services. One stolen France Connect login gives a scammer access to your taxes, health insurance, pension, CPF, driver license, and renovation subsidies. Fake emails claim your account will be suspended unless you confirm your identity. The real French government never sends suspension threats by email.

Why France Connect credentials are the biggest French phishing target

Most phishing campaigns chase one prize: a bank password, a Microsoft 365 login, a delivery code. France Connect is different. It is a single sign-on that the French state built so citizens stop juggling a different password for every administration. Beautiful from a user-experience angle. A nightmare the moment a scammer holds the keys.

One France Connect login can sign you into impots.gouv.fr, ameli.fr, retraite.fr, antai.gouv.fr, anah.fr, monespacesante.fr, the CPF portal, Pôle Emploi, MaPrimeRénov', the points-permis service, and over 1,400 other public services. Some of those have an extra 2FA layer, mainly impots and ameli for high-risk actions. Many do not. Once an attacker is in, they can chain attacks in minutes: read a tax notice, copy your social security number from ameli, file a fake address change at impots, raid your CPF training credit, and submit a MaPrimeRénov' refund to a mule account, all without you knowing until the first money moves.

One login. Eight separate financial relationships with the French state. That is why credential phishing targeting France Connect is the highest-leverage scam in France right now.

The 4 active phishing variants in 2026

Most fake emails fall into one of four buckets. Once you recognize the shape, you stop reading the body and start checking the sender.

Variant 1: Suspension threat. Subject line reads "France Connect: votre compte sera suspendu sous 24h" or "Action urgente: confirmation d'identité requise." Body claims unusual activity was detected on your account and that you need to confirm your identity to avoid permanent suspension. A blue button labelled "Confirmer mon identité" points at a lookalike domain. This is the dominant variant. The state never sends suspension threats by email.

Variant 2: Mon Espace Santé verification. Subject reads "Mon Espace Santé: activation requise sous 48h" or "Votre dossier médical numérique attend une vérification." Body says your health record is incomplete or needs a final confirmation step. Buttons lead to fake login pages that mimic the monespacesante.fr design exactly. The pull here is not financial, it is medical: prescription history sells well on identity-fraud markets, especially controlled substances and chronic-illness profiles.

Variant 3: New document available. Subject reads "Nouveau document médical disponible" or "Téléchargez votre relevé médical." This one feels less aggressive than variant 1 and trips fewer alarm bells. The link drops you on a fake Mon Espace Santé page that asks for your France Connect credentials to view the document. There is no document. There never was.

Variant 4: Vaccination certificate update. A leftover from the COVID era that still works on older citizens. Subject reads "Mise à jour de votre attestation vaccinale" or "Action requise: certificat sanitaire." Older users remember the TousAntiCovid flow and react without much thought. The fake page collects France Connect or ameli credentials.

The exact phrases scammers use

Real French government emails read formally and never threaten suspension. Fake emails lean on urgency and confirmation language. Here are four phrases that show up in the wild right now. If you see any of them in an email about a French public service, treat the entire message as hostile until you have logged in directly from a typed URL and confirmed nothing is wrong.

  • "France Connect: votre compte sera suspendu sous 24h" (France Connect: your account will be suspended within 24 hours)
  • "Mon Espace Santé: nouveau document à valider" (Mon Espace Santé: new document to validate)
  • "Confirmez votre identité numérique gouvernementale" (Confirm your government digital identity)
  • "Activation Mon Espace Santé requise pour continuer" (Mon Espace Santé activation required to continue)

The pattern is identical across all four: a deadline, a generic call to action, and a button that takes you somewhere that is not gouv.fr. Real DINUM and DGOS communications either tell you to log in to your account directly, or arrive on paper.

What real France Connect notifications look like

Before you can spot a fake, you need a baseline for the real flow. France Connect notifications and prompts have stayed consistent since launch.

You never log in directly at a France Connect URL. You start at the public service you actually want to use, like impots.gouv.fr or ameli.fr or antai.gouv.fr. On that service, you click "S'identifier avec France Connect." A bouncer flow then asks you to pick an identity provider: impots, ameli, La Poste Identité Numérique, Yris, or France Identité on mobile. You authenticate there. France Connect is the bridge between two trusted endpoints, not a destination you visit on its own.

Real France Connect has no concept of "account activation expiring." Your impots or ameli account already exists. France Connect just relays the trust. There is no email-only flow that asks you to "reactivate France Connect" by clicking a link. If your impots or ameli account is locked, that is a separate problem handled inside that specific service after a typed-URL login.

Mon Espace Santé invites arrive on paper first. The state sent every insured person in France a printed letter with a temporary code when the service launched in 2022, and new invites for newcomers still arrive by post. Reminders by email can exist, but they never carry a "click to activate within 48 hours or your record is closed" framing. The medical record itself does not expire.

Red flags: 8 signals a France Connect or Mon Espace Santé email is fake

  • The link does not end in gouv.fr. Real French government services use gouv.fr exclusively. Hover before clicking. france-connect-activation.com, franceconnect-identite.fr, monespacesante-officiel.com, and ameli-monespacesante.fr are all hostile lookalikes seen in 2026.
  • Urgency with a deadline. "Sous 24h," "sous 48h," "action immédiate." The state does not run countdown timers on identity verification.
  • Generic salutation. "Cher utilisateur" or "Bonjour" without your name. Real impots and ameli emails address you by name from your account file.
  • Asks you to confirm your identity by clicking a link. Real identity flows happen inside the service you typed in the URL bar, never from an email button.
  • Two brands stitched together. Domains like ameli-monespacesante.fr or impots-franceconnect.com look official but stitch two state brands together. The real state never combines brand names in a domain.
  • Hidden attachment about your file. A PDF claiming to be a tax notice, a medical letter, or a France Connect form. Real services keep documents inside your authenticated portal, not as email attachments.
  • Asks for your tax number, social security number, or bank IBAN to "verify." Real flows already have your numbers on file. They never re-ask by email.
  • Sender address is a free webmail or a random subdomain. Anything ending in @gmail.com, @outlook.fr, @free.fr, or a random .com pretending to be DGFiP, DGOS, or DINUM is fake.

What to do (the safe flow)

  1. Never log in via an email link. If you want to check your impots, ameli, or Mon Espace Santé file, type the address into the URL bar yourself. impots.gouv.fr, ameli.fr, monespacesante.fr. From there, click the France Connect button if the service offers it.
  2. Enable 2FA on impots and ameli. Both services support a code sent by SMS or via the app. It does not protect every chained service automatically, but it raises the cost for any attacker who already has your password.
  3. Check the URL bar for https and the gouv.fr suffix. Real services end in .gouv.fr, not .fr, not .com, not .net. The padlock icon alone is not enough, modern phishing pages get TLS certificates for free.
  4. Use France Identité if you have it. The state's native mobile identity app, built on the new digital ID card, resists phishing because there is no password to steal. It signs cryptographically on your phone.
  5. Keep your contact details current at impots and ameli. Real warnings about unusual activity get posted inside your authenticated portal. A scammer cannot fake what is sitting in your secure messages tab after you log in directly.

One memorable rule: France Connect is a door. You walk through it from inside the building you typed in the URL bar. You never arrive at it from an email.

What to do if you already fell for it

Move quickly. France Connect is a chained system, which means one stolen credential becomes a problem across every service the attacker can reach with it.

  1. Change the password on every identity provider you use with France Connect. Impots, ameli, La Poste Identité Numérique, Yris. Use a different new password for each. The attacker who has one is testing the others within minutes.
  2. Log in directly (typed URL) at each service the attacker could reach. Impots.gouv.fr, ameli.fr, retraite.fr, ANTAI, ANAH, monespacesante.fr, CPF, Pôle Emploi, MaPrimeRénov'. Check recent activity, address changes, RIB changes, declared dependents, message inbox.
  3. Revoke any France Identité linked devices you do not recognize. Inside the app, check authorized devices and remove anything unfamiliar.
  4. Watch your bank account for unauthorized SEPA debits. A common follow-up is a fake DGFiP "tax refund" or "amende ANTAI" debit. Banks in France give you 13 months to dispute an unauthorized SEPA, but call sooner.
  5. File a CNIL complaint for the data breach itself at cnil.fr/plaintes. CNIL is the regulator and your report fuels enforcement action against the campaign.
  6. Declare to Cybermalveillance.gouv.fr. This is the state's victim-support service for cyber incidents. They walk you through recovery and connect you to local police if needed.
  7. File a plainte at the local commissariat or gendarmerie. A formal police report unlocks bank dispute processes and insurance claims if you have cyber-fraud coverage.

How to report a France Connect or Mon Espace Santé phishing email

Reporting the email itself helps take the campaign down faster. France has a layered reporting setup. Use the one that matches what you have in hand.

  • signal-spam.fr for the email itself. Forward the message or install the plugin. Signal Spam routes the report to ANSSI and to CNIL.
  • Cybermalveillance.gouv.fr if you clicked, entered credentials, or lost money. They are the central victim-support service.
  • cert.ssi.gouv.fr (CERT-FR, run by ANSSI) for the technical infrastructure side. Useful when reporting a phishing kit or a freshly-registered lookalike domain.
  • CNIL at cnil.fr/plaintes for the data-protection complaint, especially if Mon Espace Santé credentials were involved.
  • Internet-signalement.gouv.fr (PHAROS) for criminal content. The national online-crime reporting platform run by the gendarmerie.

Reporting takes five minutes and feeds the same threat-intelligence streams that browser blocklists and SafeBrowz consume.

Updated May 29, 2026.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures run directly in the extension before the page renders. The brand database includes major French government services (France Connect, Mon Espace Santé, impots, ameli, ANTAI, MaPrimeRénov', CPF), so lookalike patterns like france-connect-{verb}.{tld}, monespacesante-{verb}.{tld}, and dual-brand combos (ameli-monespacesante, impots-franceconnect) are flagged the moment the URL hits the address bar.
  • Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLD families for known malicious domains. Many French government lookalikes get reported to PhishTank within hours of going live.
  • Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel French-language variants in seconds, including pages that copy the gouv.fr design system exactly and stand up on a brand-new domain with no blocklist history.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. No per-user browsing history is stored.

Block France Connect lookalike sites before you click

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake login pages automatically. It recognizes 550+ brands including France Connect, ameli, impots, Mon Espace Santé, La Poste, and more, all auto-blocked when a page tries to impersonate them. AI content analysis works in over 100 languages and spots new phishing domains the moment they go live, even ones not yet on any blocklist. Free forever, no account needed.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge

Frequently asked questions

Does France Connect ever send "account suspension" emails?

No. France Connect itself does not have an account that can be suspended, because it is a single sign-on that relays trust between an identity provider (impots, ameli, La Poste, Yris, France Identité) and a public service. The state does not send "your France Connect will be suspended" emails. Any message that uses that phrasing is fake.

Is france-connect-activation.com a real government site?

No. Real French government services end in .gouv.fr, never .com and never with hyphenated brand names. france-connect-activation.com, franceconnect-identite.fr, monespacesante-officiel.com, mon-espace-sante-fr.net, and ameli-monespacesante.fr are all known phishing lookalikes seen in 2026.

What is the only real France Connect URL?

The official France Connect domain is franceconnect.gouv.fr, but you almost never visit it directly. You start at the public service you want to use (impots.gouv.fr, ameli.fr, monespacesante.fr, antai.gouv.fr, and so on), click "S'identifier avec France Connect," then pick an identity provider. France Connect is the bridge, not the destination.

What can a scammer do with my France Connect login?

A scammer with your France Connect credentials can sign into more than 1,400 public services tied to that identity. The high-value targets are impots (tax records, address changes, IBAN changes), ameli (social security number, health insurance ID), retraite (pension), CPF (training credit, often drained), MaPrimeRénov' (renovation subsidies redirected to a mule account), ANTAI (parking fine records), and Pôle Emploi (unemployment payouts). Some services have a second factor on sensitive actions, many do not.

Will Mon Espace Santé send me emails to activate?

Mon Espace Santé invites arrive by paper post first. The original launch in 2022 sent every insured person in France a printed letter with a temporary activation code. New invites for newcomers still arrive on paper. Reminder emails can exist, but they never use a "click within 48 hours or your record closes" framing. The medical record does not expire. Any urgent email about Mon Espace Santé is fake.

What should I do if I gave my France Connect credentials to a scammer?

Change the password on every identity provider linked to France Connect (impots, ameli, La Poste Identité Numérique, Yris). Log in directly at each chained service (impots, ameli, retraite, CPF, ANTAI, MaPrimeRénov', monespacesante) and check recent activity, address changes, and IBAN changes. Watch your bank for unauthorized SEPA debits. File a CNIL complaint at cnil.fr/plaintes, declare the incident at Cybermalveillance.gouv.fr, and file a plainte at your local commissariat. Move within 24 hours, the chained attacks happen fast.

Related reading